Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.


much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
1
110
Tails 6.9 released (nice) (blog.torproject.org)
submitted 2 days ago* (last edited 2 days ago) by Charger8232@lemmy.ml to c/privacy@lemmy.ml
 
 

Happy Halloween! Tails released a small update, but it's nice to see that the software in Tails is getting updated more frequently!

Here are the major changes:

  • Update Tor Browser to 14.0.1.
  • Update the Tor client to 0.4.8.13.
  • Update Thunderbird to 115.16.0.
  • Fix automatic upgrades aborting with the error message "The upgrade could not be downloaded" even after a successful download. (#20593)

Alternative link: https://tails.net/news/version_6.9/

2
 
 

Two weeks ago, I made this post. The goal was simple: I wanted to dig into the details of Chromium and Firefox to see if the claims that Chromium is more secure than Firefox are true or not. You'll notice I also started turning that post into an update log, but only one update got released. There is a reason for that. Life suddenly got extremely busy for me, I could barely make time to continue researching. However, during that time, I spent a lot of time thinking about the issue. I tried breaking down the problem in a million different ways to find a way to simplify it and start from the ground up.

I came to a conclusion today, a realization. I have no way to put this gently: I cannot conclusively determine which one is more secure. This will upset many of you, and it upsets me too considering I maintain my own list of software that relies on only providing the most secure and private versions of some software. I need to explain why there cannot be a solid conclusion.

I managed to collect many sources to be used for the research. A lot of the information is parroting this article which, despite having many sources, fails to provide sources for some of the most crucial claims made there ("Fission in its current state is not as mature as Chromium's site isolation" has no source, for example). My favorite source is this Stanford paper which I think does a great job at tackling the problem. The problem I noticed is that a lot of privacy advice is given from an echo chamber.

Think about what privacy advice you like to give, and think about where you heard that. A YouTube video? Reddit? Lemmy? Naomi Brockwell gives a lot of advice that stems directly from Michael Bazzell's Extreme Privacy book, as I found out after reading it. Her videos about convincing people to use Signal are paraphrased passages from the book itself, which has a whole section about it. People touting Chromium as more secure than Firefox, or that the Play Store is a more secure option than F-Droid or Aurora Store, often get their information from GrapheneOS. I've never seen anyone research those in depth.

The point I'm trying to make is that a lot of privacy advice is circular reporting. I'm certain that if Michael Bazzell and GrapheneOS were to provide sources as to where they got their information (they rarely do, I checked) it would come to light that it boils down to a few real sources. GrapheneOS, no doubt, likely has inspected at least some part of the Firefox codebase, but Firefox is rapidly changing, so any sources that used to be true may not be true today.

FUTO Keyboard and GrayJay get recommended often because of Louis Rossmann, but HeliBoard and FreeTube (or NewPipe) were options long before those pieces of software. The reason the former became so recommended over the latter is simply because people used a popular figure, Louis Rossmann, as a primary source. It then became an echo chamber of recommendations and best practices.

That doesn't mean the claims of Chromium being more secure are false, but as a researcher it is very hard to credit something that doesn't provide any primary sources. In the eyes of a researcher, GrapheneOS's word holds just as much weight as a random internet user, without any proof. I see it play out like this: A source like GrapheneOS or Extreme Privacy makes a claim, secondary sources such as GrapheneOS users or Naomi Brockwell present this information without providing the sources, the general privacy community sees both and begins giving the same recommendations on Reddit or Lemmy (sometimes with sources), and eventually the privacy community as a whole starts presenting that information, without any primary sources. Even if GrapheneOS, Extreme Privacy, or Louis Rossmann provided no research or direct comparisons, their word is taken without question and becomes the overarching recommendations in the privacy community. They each gained credibility in their own ways, but there should always be scrutiny when making a claim, no matter how credible.

The main reason why I cannot give a concrete conclusion is this: the focus on the article was to compare Chromium's Site Isolation to Firefox's implementation, however there are too many variables at play. Chromium may be more secure on one Linux distro than another. Debian is an example. Firefox supposedly has worse site isolation on Linux, but then how does Tails deal with that? It's based on Debian, so does that make it insecure for both browsers? Tor is based on Firefox ESR, which is an extended support release with less security, but Tor is also deemed a better option than Chromium browsers for anonymity. Isolating iframes doesn't really affect daily use, so is it really necessary to shame Firefox for that? Some variants of Firefox harden the browser for security, but some variants of Chromium (such as Brave Browser) try to enhance privacy. No matter what limits I set, how many operating systems or browser variants I set, there is no way to quantify which one is more secure.

"Is Chromium more secure? Yes, under XYZ conditions, with ABC variants, on IJK operating systems. Chromium variants XYZ are good for privacy, but ABC Firefox variants are better at privacy..." The article would be a mess. The idea for the article came because I was truly sick of the lack of true in-depth sources about the matter, and so I wanted to create that. I now realize it was a goal that is far too ambitious for me, or even a small group of people. Tor and Brave give different approaches to fingerprinting protection (blending in vs. randomizing), and there's no way to directly compare the two. The same goes for the security of each. There is no "Tails" for Chromium, but there is no "Vanadium" for Firefox. There's no one to one comparison for the code, because some of it is outside of the browser itself.

I regret making that initial post, because it set unrealistic expectations. It focused on a problem that can't tell the whole picture, and then promised to tell that whole picture. At a point, it comes down to threat model. Do you really need to squeeze out that extra privacy or security? Is someone going to go through that much effort? You know how to spot dark patterns, you know not to use privacy invasive platforms. Take a reality check. Both Chromium and Firefox are better than any proprietary alternatives, that's a fact. Don't bother trying to find the "perfect" Linux distro or browser for privacy and security, because you already don't use Windows. Privacy is a spectrum, and as long as you at least take some steps towards that, you've already done plenty.

Be careful next time you hear a software recommendation or a best practice. Be careful next time you recommend software or a best practice. Always think about where you heard that, and do your own research. There are some problems that are impossible or infeasible to solve, so just pick what you feel is best. I really am sorry that I wasn't able to provide what I promised, so instead I will leave a few of the sources I found helpful, just in case another ambitious person or group decides to research the matter. Not all of these sources are good, but it's a place to start:

https://www.cvedetails.com/version-list/0/3264/1/

https://en.wikipedia.org/wiki/Site_isolation

https://madaidans-insecurities.github.io/firefox-chromium.html

https://news.ycombinator.com/item?id=38588557

https://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf

https://grapheneos.org/usage#web-browsing

https://www.reddit.com/r/browsers/comments/17vy1v5/reasons_firefox_is_more_secure_than_chrome/

https://www.wilderssecurity.com/threads/security-chromium-versus-firefox.450867/

https://forums.freebsd.org/threads/why-im-switching-from-firefox-to-ungoogled-chromium.87878/

GrapheneOS did not respond to my requests for a comment.

3
 
 

Actually awesome and fast search engine (depending on which instance you use) with no trashy AI and ad results, also great for privacy. If you don't know which instance to use, go to https://searx.space/ and choose an instance closest to you.

4
 
 

To me, it’s gotta be the microphone

5
 
 

I'm investigating getting off the cell network permanently to avoid at least the constant triangulation of my position. I figured I'd look into getting a VoIP number and getting calls and texts over WiFi. I don't mind being unreachable when I'm not connected to a hotspot, so it's not a problem for me.

But before looking for a good VoIP provider, I decided to check if WiFi still worked in airplane mode. And indeed it works. But to my surprise, when I connected the WiFi, my cellphone provider's name also came right back up at the top right of the screen. In airplane mode? What the hell?

Long story short, after investigating a bit, I realized I had WiFi calling enabled. So I can in fact already get calls and texts without being on the cell network.

And I'm thinking, maybe that's good enough for privacy?

I mean I know SIMs leak information like ICCID / IMSI / IMEI so obviously they have no reason not to do that over WiFi also and that's not so hot.

But on the plus side, none of that information is linked to cell towers and location anymore - at least not precise location if I'm not on a VPN - the baseband processor is off and can't do whatever shady chit-chat it does with the SIM and the cell towers, and I can still use my normal phone numbers without having to change and tell a million people that I have new numbers if I go with VoIP.

Also, I don't store my contacts on my SIMs and I use a deGoogled Android. So I figure that limits how much adversarial software can exploit the SIMs to leak data.

So it seems to me that WiFi calling may be a good solution for me for better privacy without too many compromises.

Can you think of something I missed that I should know before using this feature?

6
 
 

Loops is a federated alternative to TikTok created by Pixelfed. Once it first came out, users were able to sign up for early access. Confirmation emails weren't sent right away, but today they announced that emails were being sent out, and registration is now closed.

I got a confirmation email today, attached in the image. I will be loosely documenting my experience, and may (no promises) make a writeup about it.

Wiz Khalifa would be proud

7
8
 
 

So I'm on the market for a 4G or 5G mobile hotspot with a built-in VPN client I can carry around in my backpack and connect my cellphone to. I've looked far and wide, and really the only manufacturer that seems to make what I want is GL.iNet.

The two battery-powered models they offer that interest me are the Mudi v2 and the Puli: they only do 4G and I wish they did 5G too, but I can live with that. Other than that, they really tick all the boxes for me.

From what I could read, the GL.iNet company also seems very open and very responsive. That's a plus too.

But I have one giant problem that prevents me from whipping out the credit card: GL.iNet is a Chinese company, and those products are sensitive applications. I know I can flash OpenWRT separately on those devices to ensure they're not doing stuff behind my back, but I don't really want to do that because I'd lose the GL.iNet plugins and custom UI. Not to mention, I have no free time for that. I'm looking for a ready-made solution if possible with this one.

Does anybody know if GL.iNet can be trusted?

Also, has anybody ordered from Europe using their EU store? They say they ship direct from Europe but they give no details.

And finally, what do you think of those two mobile VPN routers if you own one? Do they work well? I read somewhere that they can be buggy with certain VPN providers. Do they work in Europe? I assume they do since they sell EU plugs but maybe there are caveats.

9
73
submitted 1 week ago* (last edited 1 week ago) by Scolding7300@lemmy.world to c/privacy@lemmy.ml
 
 

As we rushed into the Web 2 era, privacy was left behind. There was a naive view that users could consent to something that was impossible to understand. The result was tracking and monitoring of every activity.

I chatted to Brendan Eich, the creator of JavaScript, Co-Founder of Brave, and the Co-founder of Mozilla. We talk about how the privacy landscape evolved on the internet, and the future of our technology-driven world.

  • 00:00 The Serfs Have to Band Together!
  • 00:51 Why Privacy Matters
  • 04:30 Privacy Nihilism
  • 06:29 The Rise of Extensions
  • 11:48 Brave and Ads
  • 15:06 Privacy is Now Marketable
  • 16:31 Bridging the Divide Between Users
  • 19:58 They Are Profiling You
  • 21:50 Incentive for Government Control
  • 23:30 Tech Optimism
  • 24:48 Users Matter Most
  • 28:57 Companies Can Make a Big Difference
  • 31:47 UBlock Origin and Google
  • 33:23 There is No End to Security
  • 36:14 Brave's Large Movement of Users
  • 37:37 Decentralization Pays Off
  • 38:00 Users Can Tilt Markets
  • 38:55 What the Future Holds
  • 39:39 Privacy Acceleration

We need more tools that make it possible to not only maintain privacy, but to still have a user-friendly experience at the same time. We, as users, need to fight back and demand it.

Brought to you by NBTV team members: Lee Rennie, Will Sandoval and Naomi Brockwell

Odysee link from the comments: https://odysee.com/@NaomiBrockwell:4/BRENDAN-EICH:9

10
20
submitted 1 week ago* (last edited 1 week ago) by rolling_resistance@lemmy.world to c/privacy@lemmy.ml
 
 

I have to use Whatsapp, unfortunately. Are there any good alternatives to the default app on Android?

I'm worried about all the data it shares with Meta. I denied all permissions but this makes it less convenient, and the app probably still sends over the data that is available without them.

11
 
 

If you use the privacy respecting Gboard alternative called FUTO keyboard, you've probably noticed that the built in swipe typing is HOT GARBAGE. (Typing this currently with two thumbs for this exact reason.)

Most keyboards improve their swipe algorithms by simply spying on you and logging your typing data. FUTO isn't about that, so they have built a simple webpage based typing game that you can use to improve their system in an ethical and voluntary manner! Just swipe the website's keyboard to type a provided sentence.

I love this, they can crowdsource the improvement without invading privacy!

Share with any relevant communities you're a part of. The more data, the better this gets.

12
 
 

Okay the title is a bit exaggerated, but honestly not far off. This post is very mundane and a bit long, but thought it fits the community.

I'm visiting my home country and went shopping for pants, there were "30% off everything!" signs with a tiny text underneath that said "member discount" (don't have membership). Not a problem, did not notice and I don't care for such marketing tricks to get you into the store but okay.

Picked up a couple of pants, went to the cashier and they asked me "do you have our membership?" - I answered no and expected the follow-up question whether I'd like to join, but, to my positive surprise, the cashier just happily responded "okay, not a problem!" and continued to bag my stuff.

I stood ready to pay and then the cashier said "now I just need your phone number and you can pay". Hold up. What. I did not expect that, I honestly had a burst of anger inside me (never gonna take it out on a cashier, they are just doing their job). I asked nicely why I need to give my phone number, and I was told that it was to register me as a member so I can get the discount.

I declined and said I don't want to join and would like to just pay.

The entire interaction after questioning why they need my phone number was awkward, as if I had been the first person to decline, the weirdo, aluminum foil hat wearing hermit.

This was just one of many interactions in recent years that make me feel as if I was a weirdo for not sharing all my info around. The worst is when everyone keeps telling me "it's just an app, just download it and use that, why do you make things complicated" or "just sign up, you don't need to pay anything".

Thank you for reading my mundane rant, would you like to hear more? Just sign up for my weekly mailing list! ~~Your email will be shared with our 12 453 partners~~

13
 
 

Hi :)

I am trying to find a good privacy-friendly Android keyboard that supports more than just emojis. I used to use OpenBoard and also tried out FlorisBoard but both do not support stickers or GIFs. So I was hoping any one of you has some ideas :)

14
 
 

On a Linux machine I ran `lsof -i` while running Tor just cuz, and I saw this plaintext URL that Tor connected to. It persists even after I restart it or change identity. It is probably harmless, but still, is there some kind of event going on?

15
 
 

After federal police came to an employee’s house to ask questions, encrypted messaging company Session has decided to leave Australia and switch to a foundation model based in Switzerland.

16
 
 
  • PayPal to Share Shopping Details
  • LinkedIn Opts You In for AI Data Sharing
  • 23andMe May Sell Your DNA Data
17
121
submitted 1 week ago* (last edited 1 week ago) by arscynic@slrpnk.net to c/privacy@lemmy.ml
 
 

If one chats/mails with a person using Windows, despite using secure private protocols, every message will be stored by Microsoft's Windoze Recall. Either I'm missing something or this feature seems like the most grotesque breach in online privacy/security.

What are ways to avoid this except for using obfuscated text?

18
85
submitted 1 week ago* (last edited 1 week ago) by czim@feddit.nl to c/privacy@lemmy.ml
 
 

I'm considering buying a new TV. There's plenty of posts about trying to find dumb TVs, comments like 'just don't connect it to the internet/network'.

What surprises me is that there isn't a good overview of (popular) TVs or brands with basic information, answering for each TV:

  • Can you use it as a basic TV by choosing not to enable smart features during setup?
  • Can you opt out by just not accepting a bunch of agreements?
  • Does it have a camera and/or microphone? Where in the device are these? Is there a physical disable switch for microphone?
  • Does it nag when not connected to any network?
  • Does it have higher than normal power usage when not able to phone home?
  • Has it been discovered to connect to public WiFi networks? Does it have the (theoretical) ability to connect to 5G mobile networks?

And similar.

There are extensive lists with a lot of detail about VPN services but nothing like that for TVs. Am I ignorant of a good source, or does this just not exist (yet)?

19
 
 

Swedish author and famous pro-Ukraine blogger Lars Wilderäng (Cornucopia) reports today that the Swedish security expert Karl Emil Nikka has revealed that Kagi is using the Kremlin propaganda tool Yandex as a backend for searches.

Wilderäng speculates this might mean search terms are leaking to Russia, while others worry about how the Kremlin can thus get their talking points into western search results.

Security expert Karl Emil Nikka tells us that the search engine Kagi, popular among tech geeks, uses Russian Yandex, which was introduced after the full-scale invasion. This, of course, gives Russia the opportunity to look at what is searched for via Kagi.

Link (in Swedish), see 11:22 update: https://cornucopia.se/2024/10/uppdateras-ryssland-medger-bruk-av-c-stridsmedel-mot-ukraina-rysk-pilot-som-mordade-68-ukrainare-ihjalslagen-med-hammare-bland-de-allra-storsta-ryska-forlusterna-under-kriget-igar/

20
 
 

I saw a few VPN extensions on Mozilla's add-on store, but they require full access and are closed source. FoxyProxy seems open source and doesn't seem to be collecting any data for themselves, and I'm hoping that combined with HTTPS sites only give the proxies which sites I'm visiting even if they wanted to sell me out. CORRECT ME IF I'M WRONG THO. And I don't trust my ISP much, so it doesn't matter to me if they are selling that only, but those VPN extensions will have access to everything on every site. So yeah, feel free to correct me on anything and recommend any.

Edit: I don't want recommendations for a VPN or any other way like changing DNS etc. I just want to change the location on only Firefox for Android to get past some censorship and geo-blocking. If you have any other way to achieve that or a better extension than FoxyProxy, feel free to recommend.

Edit: Is there any way to configure proxies on Android Firefox without using an extension? I have access to about:config as I use Fennec from F-Droid.

21
22
 
 
23
0
submitted 8 months ago* (last edited 8 months ago) by Extrasvhx9he@lemmy.today to c/privacy@lemmy.ml
 
 

Been using Signal for years and love it and got the majority of my contacts on to it. My question is how are usernames useful now? You still need to register with a phone number with Signal to limit spam and bots afaik and I'm assuming you should protect your username just like you do your phone number anyways because spam, malicious files/messages, etc... What scenario is this addressing where an average person gives up their username to a stranger? The only one I can think of is online dating or other online interactions like on forums. Just seems this is just more tailored to the people who need to be pseudo-anonymous for whatever reason than an actual privacy feature. Even then for the anonymous people does that mean usernames will be able to be changed?

Tldr: Questioning what scenario Signal's new usernames address for the average Joe?

Edit: Just realized it can be very useful for work relationships

24
 
 

cross-posted from: https://lemmy.world/post/12063839

Someone keeps trying to access my MS account

Like the title says, I got an email yesterday with a code to access my Microsoft account and that made me suspicious because I wasn’t trying to log in to my account. When I looked at the login attempts I saw that someone else was trying to access my account, so I changed my password and activated TFA. Thinking of going through and buying a physical key like Yubico to further secure my account. Any tips are appreciated.

25